BlackEnergy

Source: Wikipedia, the free encyclopedia.

BlackEnergy Malware was first reported in 2007 as an

distributed denial of service attacks.[1] In 2010, BlackEnergy 2 emerged with capabilities beyond DDoS. In 2014, BlackEnergy 3 came equipped with a variety of plug-ins.[2] A Russian-based group known as Sandworm (aka Voodoo Bear) is attributed with using BlackEnergy targeted attacks. The attack is distributed via a Word document or PowerPoint attachment in an email, luring victims into clicking the seemingly legitimate file.[3]

BlackEnergy 1 (BE1)

BlackEnergy's code facilitates different attack types to infect target machines. It is also equipped with server-side scripts which the perpetrators can develop in the command and control (C&C) server. Cybercriminals use the BlackEnergy bot builder toolkit to generate customized bot client executable files that are then distributed to targets via email spam and phishing e-mail campaigns.[4] BE1 lacks the exploit functionalities and relies on external tools to load the bot.[5] BlackEnergy can be detected using the YARA signatures provided by the United States Department of Homeland Security (DHS).

Key features

[5]

  • Can target more than one IP address per hostname
  • Has a runtime encrypter to evade detection by antivirus software
  • Hides its processes in a system driver (syssrv.sys)

Command types

  • DDoS attack commands (e.g. ICMP flood, TCP SYN flood, UDP flood, HTTP get flood, DNS flood, etc.)[1][clarification needed]
  • Download commands to retrieve and launch new or updated executables from its server
  • Control commands (e.g. stop, wait, or die)

BlackEnergy 2 (BE2)

BlackEnergy 2 uses sophisticated

LZ77 algorithm and encrypted using a modified version of the RC4 cipher. A hard-coded 128-bit key decrypts embedded content. For decrypting network traffic, the cipher uses the bot's unique identification string as the key. A second variation of the encryption/compression scheme adds an initialization vector to the modified RC4 cipher for additional protection in the dropper and rootkit unpacking stub, but is not used in the inner rootkit nor in the userspace modules. The primary modification in the RC4 implementation in BlackEnergy 2 lies in the key-scheduling algorithm.[6]

Capabilities

  • Can execute local files
  • Can download and execute remote files
  • Updates itself and its plugins with command and control servers
  • Can execute die or destroy commands

BlackEnergy 3 (BE3)

The latest full version of BlackEnergy emerged in 2014. The changes simplified the malware code: this version installer drops the main

dynamically linked library (DLL) component directly to the local application data folder.[7]
This variant of the malware was involved in the
December 2015 Ukraine power grid cyberattack.[8]

Plug-ins

[2]

  • fs.dllFile system operations
  • si.dll — System information, “BlackEnergy Lite”
  • jn.dll — Parasitic infector
  • ki.dll
    Keystroke Logging
  • ps.dll — Password stealer
  • ss.dllScreenshots
  • vs.dll — Network discovery, remote execution
  • tv.dll — Team viewer
  • rd.dll — Simple pseudo “remote desktop”
  • up.dll — Update malware
  • dc.dll — List Windows accounts
  • bs.dll — Query system hardware, BIOS, and Windows info
  • dstr.dll — Destroy system
  • scan.dll — Network scan

References

  1. ^ a b Nazario, Jose (October 2007). "BlackEnergy DDoS Bot Analysis" (PDF). Arbor Networks. Archived from the original (PDF) on 21 February 2020. Retrieved 17 April 2019.
  2. ^ a b "Updated BlackEnergy Trojan Grows More Powerful - McAfee Blogs". 14 January 2016.
  3. ^ "Details on August BlackEnergy PowerPoint Campaigns". 4 October 2014.
  4. ^ "BlackEnergy APT Malware - RSA Link". community.rsa.com. 23 March 2016.
  5. ^
    doi:10.14236/ewic/ICS2016.7. Archived from the original
    (PDF) on 20 October 2016. Retrieved 5 November 2022.
  6. ^ a b c Joe Stewart (3 March 2010). "BlackEnergy Version 2 Threat Analysis". www.secureworks.com.
  7. ^ "ThreatSTOP Report: BlackEnergy" (PDF). threatstop.com. 7 March 2016. Archived (PDF) from the original on 28 May 2022. Retrieved 5 November 2022.
  8. ^ Cherepanov A., Lipovsky R. (7 October 2016). "BlackEnergy – what we really know about the notorious cyber attacks" (PDF).
Retrieved from "https://en.wikipedia.org/w/index.php?title=BlackEnergy&oldid=1183574619"